Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS

ITU Digital Financial Services Security Lab

8 July 202110:00 – 11:00 AM, CEST

Arnold Kibuuka, ITU

DFS Security Lab

There is not a common approach for regulators, developers and DFS providers to test DFS mobile apps in a complex mobile ecosystem in order to

provide/verify the level of assurance on security.

The DFS security lab provides a common methodology to conduct

security audit for DFS applications and address systemic

vulnerabilities.

DFS Security Lab

Collaborate with DFS regulators and DFS providers to enhance the cybersecurity strategy for DFS and security assurance of the DFS ecosystem by implementing the recommendations in the DFS Security Assurance Framework, methodology for testing of USSD, STK and Android apps and DFS Security Audit Guidelines.

https://figi.itu.int/figi-resources/working-groups/

DFS Security Lab Objectives

Collaboration with DFS regulators on security

Knowledge sharing on threats to security of DFS

apps

Organise security clinicsAssist DFS regulators to evaluate the cyber preparedness for DFS

ecosystem

Encourage adoption of international standards on

DFS security

Perform DFS security audits of DFS Apps

DFS Security Lab Components

Security audit of Android DFS apps

using OWASP Mobile Top 10 Risks.

Developer resources for strong authentication

using FIDO

Security testing for USSD and STK

USSD & STK Security Tests

d. Simulate man-in-the-middle attacks on STK based DFS applications

b. Testing susceptibility to binary OTA attacks (SIM jacker, WIB attacks)

c. Testing remote USSD execution attacks

a. SIM Swap and SIM clone testing

*100#

*100# *100

#

*stkmsg#

*mstkmsg#

Android DFS security tests (based OWASP Mobile Top 10 Risks)

Risks Security test

M1 Improper Platform UsageCheck misuse of platform features or failing to use platform security controls provided

M2 Insecure Data StorageCheck that malware and other apps do not have access to DFS sensitive information

M3 Insecure CommunicationCheck that communication channels are encrypted

M4 Insecure AuthenticationAuthentication cannot easily be bypassed

M5 Insufficient Cryptography Check crypto algorithms used

M8 Code TamperingCheck whether it is possible to modify the code

M9 Reverse engineering Decompile source code7

dfssecuritylab@itu.int https://figi.itu.int/figi-resources/dfs-security-lab/

Get in touch

Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS

5 -19 July

Mobile payment appsTesting for vulnerabilities using the OWASP Mobile Top Ten

Philippe Oechslin, Objectif Sécurité

philippe.oechslin@objectif-securite.ch

Executive summary

• Developed method for testing DFS apps on Android• 18 tests organized according to OWASP mobile top ten

• Tested 3 applications• Payment applications

• They all have different ways of not implementing the best practices!• No critical issue detected

1 Introduction

• DFS: Applications used for payment and money transfer without the need of having a bank account

• OWASP: The Open Web Application Security Project www.owasp.org• A collaborative, non-for-profit foundation that works to improve the

security of web applications• Also works on security of mobile applications

• OWASP Mobile Top Ten• OWASP project that aims to identify and document the top ten

vulnerabilities of mobile applications

2 The tests

• Our tests are organized according to the subjects of the OWASP Mobile Top Ten:

• M1 Improper Platform Usage• M2 Insecure Data Storage• M3 Insecure Communication• M4 Insecure Authentication• M5 Insufficient Cryptography• M6 Insecure Authorization• M7 Client Code Quality• M8 Code Tampering• M9 Reverse Engineering• M10 Extraneous Functionality

• M6, M7, M10 out of scope because they would need access to the source code or require collaboration with the editor

M1 Improper Platform Usage

The application should make correct use of the features of the platform (phone’s operating system)

• Allow cloud backup,

• debugging,

• install location,

• dangerous permissions

M2 Insecure Data Storage

Data should be stored in a way that limits the risks in case of loss or compromise of the phone

• Use of external storage

• Disabling screenshots

M3 Insecure Communication

Protect against eavesdropping and manipulation of traffic

• Use of HTTPS

• Only accept trusted certificates

• Only accept a specified certificate

• App manifest should not allow clear text traffic

M4 Insecure Authentication

Prevent unauthorized access to the application

• Request pin/fingerprint before accessing sensitive information

• Inactivity timeout

• Handling of new fingerprints

M5: Insufficient Cryptography

Cryptography can only protect confidentiality and integrity of data if correctly implemented

• Do not use unsafe crypto primitives (e.g. MD5, SHA-1, RC4, DES, 3DES, Blowfish, ECB)

• Configure HTTPS according to best practices

M8: Code Tampering

Prevent an attacker from tampering the code on the telephone

• Refuse to run on a rooted device

M9 Reverse engineering

Prevent attackers from analyzing the logic of the application

• Obfuscate the code

28.09.2020 Ph. Oechslin 12

3. Results

• Three applications have been tested with the same method

• Only failed tests are described below

28.09.2020 Ph. Oechslin 13

3.1 App1

Payment app, backed by a bank account, credit card or prepaid

Has permission to write to external storage external storage and, if it did, that this data is sensible.

Uses the weak crypto (MD5 and SHA-1, ECB), probably not for critical data

Interception of data shows names, phone numbers and amounts in clear inside HTTPS connection

Runs on rooted devices

28.09.2020 Ph. Oechslin 14

3.2 App2

App2 is provided by a mobile network operator that provides digital financial services in areas in which they operate across Africa

• Sends some traffic in clear text (not sensitive data)

• Does not require a PIN or fingerprint every time, PUK can be accessed

• Uses the weak crypto (SHA-1, random number generator), probably not for critical data

3.3 App3

App3 is also provided a mobile operator and in several countries across Africa and Asia. The app makes it possible for users to send money to contacts, pay for goods and services

Screenshot is not disabled when running

Trusts the certificates trusted by the phone (enables interception)

Requires permission to send clear text traffic

Does not require a PIN or fingerprint every time, balance can be accessed

Uses the weak crypto (MD5, SHA-1, random number generator), probably not for critical data

Summary of results

• No critical vulnerabilities were detected but• App1 has no application-level encryption

• App2 displays PUK without requiring PIN

0

25

50

75

100

M1:Improper

platform usage

M2:Insecure

Data Storage

M3:Insecure

Communication

M4:Insecure

Authentication

M5:Insufficient

Cryptography

M8:Code

Tampering

M9:Reverse

Engineering

App1

App2

App3

4 Conclusions

• The tests allow an independent evaluation of the security of DFS apps

• Done locally, without access to code or server

• Detects missing best practices

• Detailed analysis of impact would require collaboration of the provider

• Provider could do more for security and transparency• Open source their applications

• Offer Bug bounty programmes

Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS

Blockchain and Cybersecurity challenges and opportunities for emerging economies

Blockchain for financial inclusion

8 July 202110:00 – 11:00 am, CEST

By Suzana Maranhão Moreno, BNDES

An option to

generate TRUST

DLT/Blockchain

Relevant Factors for not having a Banking Account

MAJORNot enough money / too expensive

Family member already has account

Lack of necessary documentation

Too far away

Refs: http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdfhttps://www.worldbank.org/content/dam/Worldbank/Research/GlobalFindex/PDF/N2Unbanked.pdfhttps://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/yayafanusie/2021/01/01/stop-saying-you-want-to-bank-the-unbanked/amp/

Can DLT help to make financial services cheaper?

Digitalization many times leads to more affordable services.DLT is a technology to that, enabling some new possibilities and permissionless innovation.

Remittance

Stablecoin

DeFi

CBDC

Payments

Finanças Descentralizadas

LendingTrading

Payments

ExchangesInsurance

Can DLT help to make financial services cheaper?

Ref.: WEF, Decentralized Finance (DeFi) Policy-Maker Toolkit

Can DLT increase aid to vulnerable people?

From Hyperledger Global Forum:

Transparency -> Accountability -> Empathy -> Action

Technology may help to increase the trust and transparency of social projects, leaded by private or public sector. follow the money

compliance by design

hyper-transparency

programmable money

Can DLT help to create market opportunities to vulnerable people?

Technology may enable new business models, data ownership and new relationships based on trust.

Recycling activities more transparent and valuable

Farmers with data ownership in supply chain

Relevant Factors for not having a Banking Account

MAJORNot enough money / too expensive

Family member already has account

Lack of necessary documentation

Too far away

Refs: http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdfhttps://www.worldbank.org/content/dam/Worldbank/Research/GlobalFindex/PDF/N2Unbanked.pdfhttps://www-forbes-com.cdn.ampproject.org/c/s/www.forbes.com/sites/yayafanusie/2021/01/01/stop-saying-you-want-to-bank-the-unbanked/amp/

Can DLT help to deal with the lack of documentation?

DID, VC, SSIWeb of Certifiers – open ecosystem of certifiers and conditions

Id + verifiable credit history

Refs: https://www.w3.org/TR/did-core/https://www.w3.org/TR/vc-data-model/https://www.kiva.org/https://www.igi-global.com/chapter/a-survey-of-kycaml-for-cryptocurrencies-transactions/261722https://www.defi-for-good.com/

ITU-T DLT Technical Interoperability Framework

Chain A

Node 1

Node 2 Node 3

Chain B

Node 1

Node 2 Node 3

Off-chain Data

Finacial Data Government Data Industrial Data Others

Application

Fiancial

Application

Government

Application

Industrial

ApplicationOthers

2 2

33

1

Refs: ITU DLT Meet-ups - https://www.itu.int/en/ITU-T/webinars/Pages/dlt.aspx (see first episode)SG16/Q22 H.DLT-TFI - Technical Framework for distributed ledger technology (DLT) Interoperability

hso.com

GOVERNANCE

NETWORK

SERVICES

Foster innovation for public interest applications, withspecial emphasis on enabling trust for anti-fraud and pro-

transparency measures. (aligned with Brazilian Digital Government Strategy 2020-2022)

111#Nodes

58#Entities with Nodes

15#Countries

https://www.lacchain.net/

Lacchain and Brazilian Blockchain Network

Focus on Inclusion

Emerging technologyfor connectivityAccelerating digital transformationin LDCs, LLDCs and SIDS

5 -19 July

By Suzana Maranhão Moreno, BNDESsuzana@bndes.gov.br